Current Virus Alerts

Yeah, but how do we know we can trust this jlick character?

Okay, I’ll go and get their worm. I hate my computer today anyway, maybe the worm could just eat the parts I don’t like.

[quote=“Ironman”]

How do we know that site is for real and we are not just going to download a worm or something?[/quote]

That would be stupid … wouldn’t it?
Then everyone knows it was the guy who made it and are going to claim millions in damage …

[quote]isc.sans.org is a legitimate, well-known security site, and the patch author, Ilfak, is reputable.[/quote]

Yeah, I was similarly skeptical, until reading numerous recommendations by experts cited in mainstream publications. (E.g., Computerworld: “Ilfak Guilfanov is not a name I’d ever heard of before yesterday. Do I trust him and his patch? No, but I do trust the Internet Storm Center. I’ve been reading their site for several years now and know them to be on the forefront of securing the Internet. They say they’ve tested the patch and trust it. So I’ll trust the patch if disabling the vulnerable DLL is not an option.”) It was only after a number of reputable sites had tested and vouched for it that I downloaded it myself.

Apparently there are worms out there masquerading as patches, so generally you should only trust MS patches. This was a notable exception.

Personally, my knee-jerk reaction was that MS’s patch delay is a CYA strategy… if they release it with flaws, they’re blamed, while if you don’t have a patch yet and get hit on this exploit, it’s the malware’s fault, not MS’s. But to be fair, MS has to ensure that patches it releases can be trusted 100%, and that means no conflicts with an awful lot of third-party software out there. Extensive testing takes time. I’m told MS has 100 people working 24-7 on this particular patch.

I’m also told that MS doesn’t consider it to be as high-risk an exploit as the media; the vulnerability is not “wormable”. That is, you can’t be attacked except to the degree to which you can be manipulated into opening a malicious payload. At present, the only known vector is web-based. Finally, MS doesn’t want to put corporate tech support people through two patches in a row, as it’s a lot of work for them to install on hundreds or thousands of company computers.

I also got a hint that MS would release the patch earlier if in-the-field exploits suddenly become widespread. (“sources say”)

Sorry, I’m a Philistine, I’m aware of that, but I did get one of those FBI warning notices with an attachment and when I tried to open it my antivirus software said it had quarantined the Sober worm.

So I mean, that’s it right? Nothing to worry about. I’m up to date and that sucker got stopped . . . right? Now all I do is kill the e-mail . . but I like it, it made me sweat when I got it and it is quite funny.

HG

Today was expected to be a day of Sober worm attacks, on which you’re not supposed to open suspicious emails, and certainly not attachments therein.

Have you considered using Yahoo mail? They do a good job of filtering out SPAM, including virus-laden SPAM, as far as I understand it.

I’m a computer idiot, but as far as I can tell, if the thing is quarantined, you’re fine. Just don’t go opening stuff like that again.

Thanks Dragonbones.

Got that e-mail in my home Outlook account last week. I do have the latest antivirus stuff courtesy of work though, which is probably why I was so stupid as to try and open something attached to such an obviously dodgy e-mail.
:blush:
Cheers.

HG

Up-to-date antivirals are out of date the moment a new piece of malware hits the web, which is all the time. Never open dodgy stuff; just trash it. :wink:

According to several sites, you can also protect yourself from the WMF exploit by unregistering the DLL, which will also temporarily make apps unable to view thumbnails – but if you can live with that until Tuesday, you’re protected. To me, unregistering the DLL is unintelligible, but handlers.dshield.org/jullrich/wmffaq.html gives explicit instructions on how to do so:

[quote]Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks… our editor keeps swallowing the backslashes… it’s %windir%(backslash)system32(backslash)shimgvw.dll), and then click OK.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Our current “best practice” recommendation is to both unregister the DLL and to use the unofficial patch.[/quote]

Sober virus is updating its payload instructions now. Payload instructions are those telling it what damage to cause.

So updating antivirus software and enabling desktop firewalls would be a good idea. Well-protected machines and those with users who do not click on the latest “FBI warning / Bin Laden naked” emails should be safe anyway :laughing:

Just got a heads up from a friend in MS; they’ve released the WMF patch five days early in response to customer demand.
All MS system users should go to http://windowsupdate.microsoft.com to update their patches immediately. Or go to Microsoft’s home page, and find the large Windows Metafile Security update (with the padlock pic) toward the upper right, and click on it.

Don’t relax just yet… :wink:
eweek.com/article2/0,1895,1909446,00.asp

If meltdown@hotmail.com adds you to their MSN
Contacts DO NOT add it because it’s a virus.
Spread the news fast because if somebody on your list accepts it then you
get the virus too

[quote=“Lo Bo To”]If meltdown@hotmail.com adds you to their MSN
Contacts DO NOT add it because it’s a virus.
Spread the news fast because if somebody on your list accepts it then you
get the virus too[/quote]

Attention, this seems to be a HOAX, it is false information!

hoax-slayer.com/msn-contact-virus-hoax.html

Hoaxes like this create panic and stop people from using services and use up a similar amount of time or bandwidth as a real virus.

Usually they have the “tell everyone you know” part in them!

EDIT: it seems to be a new translated version of this OLD Portuguese hoax:

securityresponse.symantec.com/av … .hoax.html

We all want to update our antivirus software and do not want to click on funny email attachments and do not want to click on files called

WINZIP_TMP.exe

on network shares. It is the Nyxem.E virus deleting files on the HDD (on Feb 2nd it is scheduled for deletion again). This virus is spreading fast now.

Slowhand-email-clickers have nothing to worry about IF they AVOID clicking on the file indicated above, which may rest on your C:\myshares or whatever folder.
f-secure.com/v-descs/nyxem_e.shtml

Another worm is going on house call … worm W32.Blackmal.@mm

It has its own SMTP server and therefore does not use your mail programs … on February 3rd it will activate and possibly destroy the following files:

.DOC, .XLS, .PPT, .ZIP, .PDF and others …

It replicates on all discs, storage media where possible, so check your computer for viruses and don’t open weird looking e-mails … do it before February 3rd

more info:

Blackmal and Nyxem are the same viruses, just different antivirus scanners gave them different names.

Latest worm: Kama Sutra

Caution: Some of these links might well be the worm.

google.com/search?hl=en&lr=& … sutra+worm

Holy smokes, Batman. This is YET ANOTHER NAME for Nyxem. :loco:

Here’s SOME of the names this has been given by various antivirus and security groups:

Blackmal
Blackworm
Nyxem
Kama Sutra
MyWife
Tearec
Grew
KillAV
Kapser
CME-24

Things were much simpler when the naming discrepancies were whether they spelled it Beagle or Bagle. :noway:

For your magic decoder ring, one place to look is the Common Malware Enumeration site.

By the way, I’m not ridiculing any of you about posting about the same virus three different times. This kind of thing is definitely ridiculous, but it’s not your fault everyone calls this thing by a different name.

CreateTextRange vulnerability of Internet Explorer can infect PC, already 200 websites known to infect, even respectable ones if they are hacked.

microsoft.com/technet/securi … 17077.mspx

Solution: switch off Active Scripting in IE or use another browser.

[quote=“bob_honest”]CreateTextRange vulnerability of Internet Explorer can infect PC, already 200 websites known to infect, even respectable ones if they are hacked.

microsoft.com/technet/securi … 17077.mspx

Solution: switch off Active Scripting in IE or use another browser.[/quote]

Will switching off Active Scripting cause any problems? :snoopy: